Vulnerability Database

349,003

Total vulnerabilities in the database

OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts` — openclaw

Improper Resource Shutdown or Release

> Fixed in OpenClaw 2026.3.24, the current shipping release.

Advisory Details

Title: Incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in !stop Chat Command via shell-utils.ts

Description:

Summary

The !stop (and /bash stop) chat command kills background bash processes using SIGKILL directly, without first sending SIGTERM to allow graceful shutdown. This is because bash-command.ts imports killProcessTree() from src/agents/shell-utils.ts, which still contains the pre-CVE-2026-27486 aggressive kill logic, rather than from the patched src/process/kill-tree.ts.

Details

CVE-2026-27486 fixed unsafe process termination by introducing a graceful shutdown sequence in src/process/kill-tree.ts — sending SIGTERM first, waiting a configurable grace period (default 3 seconds), then escalating to SIGKILL only if the process is still alive.

However, an identical copy of the unpatched killProcessTree function remains in src/agents/shell-utils.ts (lines 170–192). This function sends SIGKILL immediately with no SIGTERM:

// src/agents/shell-utils.ts:170-192 export function killProcessTree(pid: number): void { // ... Windows handling ... try { process.kill(-pid, "SIGKILL"); // Immediate hard kill, no SIGTERM } catch { try { process.kill(pid, "SIGKILL"); } catch { // process already dead } } }

The !stop chat command handler in src/auto-reply/reply/bash-command.ts imports and calls this vulnerable version at line 302:

// src/auto-reply/reply/bash-command.ts:5 import { killProcessTree } from "../../agents/shell-utils.js"; // src/auto-reply/reply/bash-command.ts:300-304 const pid = running.pid ?? running.child?.pid; if (pid) { killProcessTree(pid); // Calls the UNPATCHED version } markExited(running, null, "SIGKILL", "failed");

Compare this to the patched version in src/process/kill-tree.ts:

// src/process/kill-tree.ts:46-78 function killProcessTreeUnix(pid: number, graceMs: number): void { // Step 1: Try graceful SIGTERM to process group try { process.kill(-pid, "SIGTERM"); } catch { /* ... */ } // Step 2: Wait grace period, then SIGKILL if still alive setTimeout(() => { if (isProcessAlive(-pid)) { try { process.kill(-pid, "SIGKILL"); } catch { /* ... */ } } }, graceMs).unref(); }

PoC

This PoC demonstrates the difference between the vulnerable and patched code paths inside a running OpenClaw Gateway container.

Setup:

# Build and start the gateway container cd CVE-2026-27486-variant-exp/ docker compose up -d sleep 5

Exploit (vulnerable killProcessTree from shell-utils.ts):

The following script is injected into the container and executed. It starts a bash process that traps SIGTERM for graceful shutdown, then kills it using the same code path as !stop:

// exploit_sigkill.cjs — replicates src/agents/shell-utils.ts:183-190 const { spawn } = require('child_process'); const fs = require('fs'); try { fs.unlinkSync('/tmp/graceful_shutdown.txt'); } catch {} const child = spawn('/bin/bash', ['-c', 'trap \'echo GRACEFUL_SHUTDOWN > /tmp/graceful_shutdown.txt; exit 0\' SIGTERM; while true; do sleep 1; done' ], { detached: true, stdio: 'ignore' }); child.unref(); setTimeout(() => { // VULNERABLE: same as shell-utils.ts — SIGKILL only try { process.kill(-child.pid, 'SIGKILL'); } catch { try { process.kill(child.pid, 'SIGKILL'); } catch {} } setTimeout(() => { if (fs.existsSync('/tmp/graceful_shutdown.txt')) { console.log('[BLOCKED] SIGTERM was received.'); process.exit(1); } else { console.log('[EXPLOITED] SIGKILL sent directly — SIGTERM never delivered.'); process.exit(0); } }, 2000); }, 1000);

Run:

python3 poc_exploit.py

Log of Evidence

Exploit output (SIGKILL only, no graceful shutdown):

[*] Running exploit (vulnerable killProcessTree from shell-utils.ts)... [*] Victim PID: 78 [*] Calling vulnerable killProcessTree (SIGKILL only, no SIGTERM)... [EXPLOITED] SIGKILL sent directly — SIGTERM never delivered. [EXPLOITED] Graceful shutdown handler was NEVER invoked. [SUCCESS] CVE-2026-27486 variant confirmed: killProcessTree() in shell-utils.ts sends immediate SIGKILL, bypassing the graceful shutdown fix in process/kill-tree.ts.

Control output (SIGTERM first, graceful shutdown works):

[*] Running control (patched killProcessTree from process/kill-tree.ts)... [*] Victim PID: 93 [*] Calling patched killProcessTree (SIGTERM first, then SIGKILL after grace)... [NORMAL] SIGTERM received — graceful shutdown completed. Flag: GRACEFUL_SHUTDOWN [NORMAL] Control confirmed: patched killProcessTree sends SIGTERM first, allowing graceful shutdown before escalating to SIGKILL.

Impact

When !stop is used, background processes are killed instantly via SIGKILL with no chance to perform cleanup. This can result in:

  • Data corruption: processes writing to files or databases are interrupted mid-write
  • Resource leaks: temporary files, lock files, and network connections are not properly released
  • Security-sensitive cleanup skipped: operations like erasing in-memory secrets or completing audit logs are bypassed

This is the same class of impact that CVE-2026-27486 was filed for — the fix simply missed the shell-utils.ts copy of the function.

Affected products

  • Ecosystem: npm
  • Package name: openclaw
  • Affected versions: <= 2026.3.14
  • Patched versions: <None>

Severity

  • Severity: Medium
  • Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Weaknesses

  • CWE: CWE-404: Improper Resource Shutdown or Release

Occurrences

| Permalink | Description | | :--- | :--- | | https://github.com/moltbot/moltbot/blob/f2849c2417/src/agents/shell-utils.ts#L170-L192 | The vulnerable killProcessTree function that sends immediate SIGKILL without SIGTERM. | | https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L5 | Import statement pulling the vulnerable killProcessTree from shell-utils.ts instead of the patched kill-tree.ts. | | https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L300-L304 | The !stop handler calling the vulnerable killProcessTree(pid). | | https://github.com/moltbot/moltbot/blob/f2849c2417/src/process/kill-tree.ts#L46-L78 | The patched killProcessTreeUnix with graceful SIGTERM → grace period → SIGKILL sequence (for reference). |

  • Published: Mar 30, 2026
  • Updated: Mar 31, 2026
  • GHSA: GHSA-3298-56p6-rpw2
  • Severity: Medium
  • Exploit:
  • CISA KEV:

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CWEs:

Software From Fixed in
Node.js icon openclaw - 2026.3.24

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.